Safe Harbor Enforcement Overview

Federal and State "Unfair and Deceptive Practices" Authority and Privacy

This memorandum outlines the authority of the Federal Trade Commission (FTC) under Section 5 of the Federal Trade Commission Act (15 U.S.C. §§ 41-58, as amended) to take action against those who fail to protect the privacy of personal information in accordance with their representations and/or commitments to do so. It also addresses the exceptions to that authority and the ability of other federal and state agencies to take action where the FTC does not have authority.(1)

FTC Authority over Unfair or Deceptive Practices

Section 5 of the Federal Trade Commission Act declares "unfair or deceptive acts or practices in or affecting commerce" to be illegal. 15 U.S.C. § 45(a)(1). Section 5 confers on the FTC the plenary power to prevent such acts and practices. 15 U.S.C. § 45(a)(2). Accordingly, the FTC may, upon conducting a formal hearing, issue a "cease and desist" order to stop the offending conduct. 15 U.S.C. § 45(b). If it would be in the public interest to do so, the FTC can also seek a temporary restraining order or temporary or permanent injunction in U.S. district court. 15 U.S.C. § 53(b). In cases where there is a widespread pattern of unfair or deceptive acts or practices, or where it has already issued cease and desist orders on the matter, the FTC may promulgate an administrative rule prescribing the acts or practices involved. 15 U.S.C. § 57a.

Anyone who does not comply with an FTC order is subject to a civil penalty of up to $11,000, with each day of a continuing violation constituting a separate violation.(2) 15 U.S.C. § 45(l). Likewise, anyone who knowingly violates an FTC rule is liable for $11,000 for each violation. 15 U.S.C. § 45(m). Enforcement actions can be brought by either the Department of Justice, or if it declines by the FTC. 15 U.S.C. § 56.

FTC Authority and Privacy

In exercising its Section 5 authority, the FTC takes the position that misrepresenting why information is being collected from consumers or how the information will be used constitutes a deceptive practice.(3) For example, in 1998, the FTC filed a complaint against GeoCities for disclosing information it had collected on its Web site to third parties for purposes of solicitation, and without prior permission, despite its representations to the contrary.(4) The FTC staff has also asserted that the collection of personal information from children, and sale and disclosure of that information, without the parents' consent is likely to be an unfair practice.(5)

In a letter to Director General John Mogg of the European Commission, FTC Chairman Pitofsky noted the limitations on the FTC's authority to protect privacy where there has not been a misrepresentation (or no representation at all) as to how the information collected will be used. FTC Chairman Pitofsky letter to John Mogg (September 23, 1998). However, companies that want to avail themselves of the proposed "safe harbor" will have to certify that they will protect the information they collect in accordance with prescribed guidelines. Consequently, where a company certifies that it will safeguard the privacy of information and then fails to do so, such action would be a misrepresentation and a "deceptive practice" within the meaning of Section 5.

As the FTC's jurisdiction extends to unfair or deceptive acts or practices "in or affecting commerce," the FTC will not have jurisdiction over the collection and use of personal information for noncommercial purposes, charitable fund-raising for example. See Pitofsky letter, p. 3. However, the use of personal information in any commercial transaction will satisfy this jurisdictional predicate. Thus, for example, the sale by an employer of personal information on its employees to a direct marketer would bring the transaction within the purview of Section 5.

Section 5 Exceptions

Section 5 establishes exceptions to the FTC's authority over unfair or deceptive acts or practices with respect to:

financial institutions, including banks, savings and loans, and credit unions;

telecommunications and interstate transportation common carriers;

air carriers; and

packers and stockyard operators.

See 15 U.S.C. § 45(a)(2). We discuss each exception, and the regulatory authority that takes its place, below.

Financial Institutions(6)

The first exception applies to "banks, savings and loan institutions described in section 18(f)(3) [15 U.S.C. § 57a(f)(3)]" and "Federal credit unions described in section 18(f)(4) [15 U.S.C. § 57a(f)(4)]."(7) These financial institutions are instead subject to regulations issued by the Federal Reserve Board, the Office of Thrift Supervision(8), and the National Credit Union Administration Board, respectively. See 15 U.S.C. § 57a(f). These regulatory agencies are directed to prescribe the regulations necessary to prevent unfair and deceptive practices by these financial institutions(9) and to establish a separate division to handle consumer complaints. 15 U.S.C. § 57a(f)(1). Finally, authority for enforcement derives from section 8 of the Federal Deposit Insurance Act (12 U.S.C. § 1818), for banks and savings and loans, and sections 120 and 206 of the Federal Credit Union Act, for Federal credit unions. 15 U.S.C. §§ 57a(f)(2)-(4).

Although the insurance industry is not specifically included in the list of exceptions in Section 5, the McCarran-Ferguson Act (15 U.S.C. § 1011 et seq.) generally leaves the regulation of the business of insurance to the individual states.(10) Furthermore, pursuant to section 2(b) of the McCarran-Ferguson Act, no federal law will invalidate, impair, or supersede state regulation "unless such Act specifically relates to the business of insurance." 15 U.S.C. § 1012(b). However, the provisions of the FTC Act apply to the insurance industry "to the extent that such business is not regulated by State law." Id. It should also be noted that McCarran-Ferguson defers to the states only with respect to "the business of insurance." Therefore, the FTC retains residual authority over unfair or deceptive practices by insurance companies when they are not engaged in the business of insurance. This could include, for example, when insurers sell personal information about their policy holders to direct marketers of non-insurance products.(11)

Common Carriers

The second Section 5 exception extends to those common carriers that are "subject to the Acts to regulate commerce." 15 U.S.C. § 45(a)(2). In this case, the "Acts to regulate commerce" refer to subtitle IV of Title 49 of the United States Code and to the Communications Act of 1934 (47 U.S.C. § 151 et seq.) (the Communications Act). See 15 U.S.C. § 44.

49 U.S.C. subtitle IV (Interstate Transportation) covers rail carriers, motor carriers, water carriers, brokers, freight forwarders, and pipeline carriers. 49 U.S.C. § 10101 et seq. These various common carriers are subject to regulation by the Surface Transportation Board, an independent agency within the Department of Transportation. 49 U.S.C. §§ 10501, 13501, and 15301. In each instance, the carrier is prohibited from disclosing information about the nature, destination, and other aspects of its cargo that might be used to the shipper's detriment. See 49 U.S.C. §§ 11904, 14908, and 16103. We note that these provisions refer to information regarding the shipper's cargo and thus do not appear to extend to personal information about the shipper that is unrelated to the shipment in question.

As for the Communications Act, it provides for the regulation of "interstate and foreign commerce in communication by wire and radio" by the Federal Communications Commission (FCC). See 47 U.S.C. §§ 151 and 152. In addition to common carrier telecommunications companies, the Communications Act also applies to companies such as television and radio broadcasters and cable service providers which are not common carriers. As such, these latter companies do not qualify for the exception under Section 5 of the FTC Act. Thus, the FTC has jurisdiction to investigate these companies for unfair and deceptive practices, while the FCC has concurrent jurisdiction to enforce its independent authority in this area as described below.

Under the Communications Act, "every telecommunications carrier," including local exchange carriers, has a duty to protect the privacy of customer proprietary information.(12) 47 U.S.C. § 222(a). In addition to this general privacy-protection authority, the Communications Act was amended by the Cable Communications Policy Act of 1984 (the Cable Act), 47 U.S.C. § 521 et seq., to mandate specifically that cable operators protect the privacy of "personally identifiable information" on cable subscribers. 47 U.S.C. § 551.(13) The Cable Act restricts the collection of personal information by cable operators and requires the cable operator to notify the subscriber of the nature of the information collected and how that information will be used. The Cable Act gives subscribers the right of access to the information about them and requires cable operators to destroy that information when it's no longer needed.

The Communications Act empowers the FCC to enforce these two privacy provisions, either at its own initiation or in response to an outside complaint.(14) 47 U.S.C. §§ 205, 403; id. § 208. If the FCC determines that a telecommunications carrier (including a cable operator) has violated the privacy provisions of section 222 or section 551, there are three basic actions it may take. First, after a hearing and determination of violation, the Commission may order the carrier to pay monetary damages.(15) 47 U.S.C. § 209. Alternatively, the FCC may order the carrier to cease and desist from the offending practice or omission. 47 U.S.C. § 205(a). Finally, the Commission may also order an offending carrier to "conform to and observe [any] regulation or practice" that the FCC may prescribe. Id.

Private persons who believe a telecommunications carrier or cable operator has violated the relevant provisions of the Communications Act or the Cable Act may either file a complaint with the FCC or take their claims to a federal district court. 47 U.S.C. § 207. A complainant who prevails in a federal court action against a telecommunications carrier for failure to protect customer proprietary information under the broader section 222 of the Communications Act may be awarded actual damages and attorneys' fees. 47 U.S.C. § 206. A complainant who files suit claiming a privacy violation under the cable-specific section 551 of the Cable Act may, in addition to actual damages and attorneys' fees, also be awarded punitive damages and reasonable litigation costs. 47 U.S.C. § 551(f).

The FCC has adopted detailed rules to implement section 222. See 47 CFR 64.2001-2009. The rules set out specific safeguards to protect against unauthorized access to customer proprietary network information. The regulations require telecommunications carriers to:

develop and implement software systems that "flag" a customer's notice/approval status when the customer's service record first comes on-screen;

maintain an electronic "audit trail" to track access to a customer's account, including when a customer's record is opened, by whom, and for what purpose;

train their personnel on the authorized use of customer proprietary network information, with appropriate disciplinary processes in place;

establish a supervisory review process to ensure compliance when conducting outbound marketing; and

certify to the FCC, on an annual basis, how they are complying with these regulations.

Air Carriers

U.S. and foreign air carriers that are subject to Federal Aviation Act of 1958 are also exempt from Section 5 of the FTC Act. See 15 U.S.C. § 45(a)(2). This includes anyone who provides interstate or foreign transportation of goods or passengers, or who transports mail, by aircraft. See 49 U.S.C. § 40102. Air carriers are subject to the authority of the Department of Transportation. In this regard, the Secretary of Transportation is authorized to take action "preventing unfair, deceptive, predatory, or anticompetitive practices in air transportation." 49 U.S.C. § 40101(a)(9). The Secretary of Transportation can investigate whether a U.S. or foreign air carrier, or a ticket agent, has engaged in an unfair or deceptive practice if it is in the public interest. 49 U.S.C. § 41712. After a hearing, the Secretary of Transportation can issue an order to stop the illegal practice. Id. To our knowledge, the Secretary of Transportation has not exercised this authority to address the issue of protecting the privacy of personal information about airline customers.(16)

There are two provisions protecting the privacy of personal information that apply to air carriers in specific contexts. First, the Federal Aviation Act protects the privacy of pilot applicants. See 49 U.S.C. § 44936(f). While allowing air carriers to obtain an applicant's employment records, the Act gives the applicant the right to notice that the records have been requested, to give consent to the request, to correct inaccuracies, and to have the records divulged only to those involved in the hiring decision. Second, DOT regulations require passenger manifest information collected for government use in the event of an aviation disaster to "be kept confidential and released only to the U.S. Department of State, the National Transportation Board (upon the NTSB's request), and the U.S. Department of Transportation." 14 CFR part 243, § 243.9(c) (as added by 63 FR 8258).

Packers and Stockyards

With regard to the Packers and Stockyards Act of 1921 (7 U.S.C. § 181 et seq.), the Act makes it unlawful for "any packer with respect to livestock, meats, meat food products, or livestock products in unmanufactured form, or for any live poultry dealer with respect to live poultry, to engage in or use any unfair, unjustly discriminatory, or deceptive practice or device." 7 U.S.C. § 192(a); see also 7 U.S.C. § 213(a) (prohibiting "any unfair, unjustly discriminatory, or deceptive practice or device" in connection with livestock). The Secretary of Agriculture has the primary responsibility to enforce these provisions, while the FTC retains jurisdiction over retail transactions and those involving the poultry industry. 7 U.S.C. § 227(b)(2).

It is not clear whether the Secretary of Agriculture will interpret the failure by a packer or stockyard operator to protect personal privacy in accordance with stated policy to be a "deceptive" practice under the Packers and Stockyards Act. However, the Section 5 exception applies to persons, partnerships, or corporations only "insofar as they are subject to the Packers and Stockyards Act," Therefore, if personal privacy is not an issue within the purview of the Packers and Stockyards Act, then the exception in Section 5 may very well not apply and packers and stockyard operators would be subject to the authority of the FTC in that regard.

State "Unfair and Deceptive Practices" Authority

According to an analysis prepared by FTC staff, "All fifty states plus the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have enacted laws more or less like the Federal Trade Commission Act ("FTCA") to prevent unfair or deceptive trade practices." FTC fact sheet, reprinted in Comment, Consumer Protection: The Practical Effectiveness of State Deceptive Trade Practices Legislation, 59 Tul. L. Rev. 427 (1984). In all cases, an enforcement agency has the authority "to conduct investigations through the use of subpoenas or civil investigative demands, obtain assurances of voluntary compliance, to issue cease and desist orders or obtain court injunctions preventing the use of unfair, unconscionable or deceptive trade practices." Id. In 46 jurisdictions, the law allows private actions for actual, double, treble, or punitive damages and, in some cases, recovery of costs and attorney's fees. Id.

Florida's Deceptive and Unfair Trade Practices Act, for example, authorizes the attorney general to investigate and file civil actions against "unfair methods of competition, unfair, unconscionable or deceptive trade practices," including false or misleading advertising, misleading franchise or business opportunities, fraudulent telemarketing, and pyramid schemes. See also N.Y. General Business Law § 349 (prohibiting unfair acts and deceptive practices carried out in the course of business).

A survey conducted this year by the National Association of Attorneys General (NAAG) confirms these findings. Of forty-three states that responded, all have "mini-FTC" statutes or other statutes that provide comparable protection. Also according to the NAAG survey, 39 states indicated they would have the authority to hear complaints by non-residents. With respect to consumer privacy, in particular, 37 out of forty-one states that responded indicated that they would respond to complaints alleging that a company within their jurisdiction was not adhering to its self-declared privacy policy.

1. We do not discuss here all the various Federal statutes that address privacy in specific contexts or state statutes and common law that might apply. Statutes at the federal level that regulate the commercial collection and use of personal information include the Cable Communications Policy Act (47 U.S.C. § 551), the Driver's Privacy Protection Act (18 U.S.C. § 2721), the Electronic Communications Privacy Act (18 U.S.C. § 2701 et seq.), the Electronic Funds Transfer Act (15 U.S.C. §§ 1693, 1693m), the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.), the Right to Financial Privacy Act (12 U.S.C. § 3401 et seq.), the Telephone Consumer Protection Act (47 U.S.C. § 227), and the Video Privacy Protection Act (18 U.S.C. § 2710), among others. Many states have analogous legislation in these areas. See, e.g., Mass. Gen. Laws ch. 167B, § 16 (prohibiting financial institutions from disclosing customer's financial records to a third party without either the customer's consent or legal process), N.Y. Pub. Health Law § 17 (limiting use and disclosure of medical or mental health records and giving patients the right of access thereto).

2. In such an action, the United States district court can also order injunctive and equitable relief appropriate to enforcing the FTC order. 15 U.S.C. § 45(l)

3. "Deceptive practice" is defined as a representation, omission or practice that is likely to mislead reasonable consumers in a material fashion.

5. See staff letter to Center for Media Education, www.ftc.gov/os/1997/9707/cenmed.htm. In addition, the Children's Online Privacy Protection Act of 1998 confers on the FTC specific legal authority to regulate the collection of personal information from children by website and online service operators. See 15 U.S.C. §§ 6501-6506. In particular, the act requires online operators to give notice and to obtain verifiable parental consent before collecting, using, or disclosing personal information from children. Id., § 6502(b). The act also gives parents a right of access and to refuse permission for the continued use of the information. Id.

6. On November 12, 1999, President Clinton signed the Gramm-Leach-Bliley Act (Pub. L. 106-102, codified at 15 U.S.C. § 6801 et seq.) into law. The Act limits the disclosure by financial institutions of personal information about their customers. The Act requires financial institutions to, inter alia, notify all customers of their privacy policies and practices with respect to the sharing of personal information with affiliates and non-affiliates. The Act authorizes the FTC, the Federal banking authorities and other authorities to promulgate regulations to implement the privacy protections required by the statute. The agencies have issued proposed regulations for this purpose.

7. By its terms, this exception does not apply to the securities sector. Therefore, brokers, dealers and others in the securities industry are subject to the concurrent jurisdiction of the Securities and Exchange Commission and the FTC with respect to unfair or deceptive acts and practices.

8. The exception in Section 5 originally referred to the Federal Home Loan Bank Board which was abolished in August 1989 by the Financial Institutions Reform, Recovery and Enforcement Act of 1989. Its functions were transferred to the Office of Thrift Supervision and to the Resolution Trust Corporation, the Federal Deposit Insurance Corporation, and the Housing Finance Board.

9. While removing financial institutions from the FTC's jurisdiction, Section 5 also stipulates that whenever the FTC issues a rule on unfair or deceptive acts and practices, the financial regulatory Boards should adopt parallel regulations within 60 days. See 15 U.S.C. § 57a(f)(1).

10. "The business of insurance, and every person engaged therein, shall be subject to the laws of the several States which relate to the regulation or taxation of such business." 15 U.S.C. § 1012(a).

11. The FTC has exercised jurisdiction over insurance companies in different contexts. In one case, the FTC took action against a firm for deceptive advertising in a state in which it was not licensed to do business. The FTC's jurisdiction was upheld on the basis that there was no effective state regulation because the firm was effectively beyond the reach of the state. See FTC v. Travelers Health Association, 362 U.S. 293 (1960).

As for the states, seventeen have adopted the model "Insurance Information and Privacy Protection Act" prepared by the National Association of Insurance Commissioners (NAIC). The Act includes provisions for notice, use and disclosure, and access. Also, almost all states have adopted the NAIC's model "Unfair Insurance Practices Act," which specifically targets unfair trade practices in the insurance industry.

12. The term "customer proprietary network information “means information that relates to "the quantity, technical configuration, type, destination, and amount of use of a telecommunications service" by a customer and telephone billing information. 47 U.S.C. § 222(f)(1). However, the term does not include subscriber list information. Id.

13. The legislation does not expressly define "personally identifiable information."

14. This authority encompasses the right to redress for privacy violations under both section 222 of the Communications Act or, with respect to cable subscribers, under section 551 of the Cable Act amendment to the Act. See also 47 U.S.C. § 551(f)(3) (civil action in federal district court is a nonexclusive remedy, offered "in addition to any other lawful remedy available to a cable subscriber.")

15. However, the absence of direct damage to a complainant is not grounds to dismiss a complaint. 47 U.S.C. § 208(a).

16. We understand there are efforts underway within the industry to address the privacy issue. Industry representatives have discussed the proposed safe harbor principles and their possible application to air carriers. The discussion has included a proposal to adopt an industry privacy policy with participating firms expressly subjecting themselves to DOT authority.